pwn3d botnets

Two recent reports have been published that document how the C&C servers of two large botnets were accessed by researchers. The first comes from Finjan, which discovered a botnet, dubbed Hexzone, with 1.9 million infected hosts. (Also see Jose Nazario’s post on this.) The second report documents the exploitation of the Torpig botnet by researchers at the University of California, Santa Barbara. They took control of Torpig for 10 days and discovered 182,800 bots on 1,247,642 IP addresses. (As a result they caution against relying on IP addresses, and on other measures such as the unique IDs assigned by the malware, as a measure of the total number of infected hosts.)
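A small illustration of that counting caution, added here and not taken from either report: constructed sinkhole check-in lines (timestamp, client IP, bot ID) in which one bot appears from several addresses over time and two bots share one address, counted both ways.

```python
from collections import defaultdict

# Constructed sample sinkhole log, not real Torpig data.
# Format per line: "<timestamp> <client_ip> <bot_id>".
SAMPLE_LOG = """\
2009-01-25T10:00:00 198.51.100.10 bot-a
2009-01-25T11:00:00 198.51.100.10 bot-b
2009-01-25T12:00:00 198.51.100.11 bot-a
2009-01-26T09:00:00 203.0.113.5 bot-a
2009-01-26T09:30:00 203.0.113.6 bot-c
2009-01-26T10:00:00 203.0.113.7 bot-c
2009-01-27T08:00:00 198.51.100.10 bot-b
"""


def parse_checkins(text):
    """Yield (timestamp, ip, bot_id) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield tuple(parts)


def size_estimates(text):
    """Compare the IP-based and ID-based population estimates for one log."""
    ips, ids = set(), set()
    ips_per_id = defaultdict(set)   # addresses each bot checked in from
    ids_per_ip = defaultdict(set)   # bots seen behind each address
    for _ts, ip, bot_id in parse_checkins(text):
        ips.add(ip)
        ids.add(bot_id)
        ips_per_id[bot_id].add(ip)
        ids_per_ip[ip].add(bot_id)
    return {
        "distinct_ips": len(ips),                # overcounts when addresses churn
        "distinct_ids": len(ids),                # one entry per malware-assigned ID
        "churning_bots": sum(1 for s in ips_per_id.values() if len(s) > 1),
        "shared_ips": sum(1 for s in ids_per_ip.values() if len(s) > 1),
    }


if __name__ == "__main__":
    print(size_estimates(SAMPLE_LOG))
```

On the sample, five distinct addresses correspond to only three bot IDs, which is the direction of the gap the Torpig researchers observed.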

In the Hexzone case, Finjan was able to access a web interface to the control server located in Ukraine. Since “folders on this server were left open” — which presumably means there was no password protection — they were able to access the web interface. The University of California researchers were able to crack the scheme used by Torpig to generate the domain names that the attackers would register and use as control servers. The researchers registered the domain names that Torpig-infected hosts were due to connect to before the attackers did, and were thus able to seize control of the botnet.

The Torpig botnet focused on collecting financial information from infected hosts, such as banking, online trading, investment and payment service credentials as well as credit card numbers. It also turned the infected host into a “proxy” that could be used for a variety of malicious purposes, including pushing spam. The infected hosts could also be used to perform DDoS attacks. Torpig also collects:

messages that users of infected machines send, for example, through webmail systems, forums, and chats. Since the full content of these messages is captured by Torpig, they often contain detailed (and private) descriptions of the lives of their authors.

One of the most interesting observations in the report, for me, concerns the potential collaboration among multiple actors to exploit the information obtained from Torpig. The University of California researchers note that there are a variety of “builds” and that the data collected is associated with particular builds.

Therefore, the most convincing explanation of the build type is that it denotes different “customers” of the Torpig botnet, who, presumably, get access to their data in exchange for a fee. If correct, this interpretation would mean that Torpig is actually used as a “malware service”, accessible to third parties who do not want or cannot build their own botnet infrastructure.

Finjan also notes that Hexzone relied on partnerships to propagate:

These cybercriminals established a vast affiliation network across the Web to successfully distribute and operate their malware install-base.

Interesting stuff.

One comment.

Nice post Nart. I guess in the UK, this type of research would be considered a criminal act.